Salin guna rawcopy
RawCopy.exe /FileNamePath:C:0 /OutputPath:C:\Audit /OutputName:MFT_C.binref:
https://www.jaiminton.com/cheatsheet/DFIR/#master-file-table
https://github.com/jschicht/RawCopy
13 February 2024
17 January 2024
Kibana KQL escape character
Need to escape these characters:
\():<>"*
\():<>"*
http.request.referrer: "https://example.com"
without quotes, must escape:
http.request.referrer: https\://example.com
This not work as expected because * is interprate as literal *:
http.request.referrer: "https://example.com*"
Instead use this:
http.request.referrer: https\://example.com*
File path issue in windows:
Kibana display value as:
C:\WINDOWS\system32\MRT.exe
But if you check in json, actual value stored in elastic is:
"c:\\windows\\system32\\mrt.exe"
Thus, to find all files in folder system32(and sub folder) you need to escape the backslash character:
file.path.caseless : c\:\\\\windows\\\\system32\\\\*
To find all files in folder system32(exclude sub folder):
file.path.caseless : c\:\\\\windows\\\\system32\\\\* and not file.path.caseless : c\:\\\\windows\\\\system32\\\\*\\\\*
Kibana KQL Wild Card
thefield.caseless: system32*
will match system32\\calc.exe (* is wildcard)
thefield: "system32*"
Not match system32\\calc.exe.(* is literal because it in quotes)
ref: https://www.elastic.co/guide/en/kibana/current/kuery-query.html
Subscribe to:
Posts (Atom)